Some port scanners only scan the most common, or most commonly vulnerable, port numbers on a given host. See: List of TCP and UDP port numbers.
The result of a scan on a port is usually generalized into one of three categories:
Open ports present two vulnerabilities of which administrators must be wary:
Closed ports only present the latter of the two vulnerabilities that open ports do. Blocked ports do not present any reasonable vulnerabilities. Of course, there is the possibility that there aren't any known vulnerabilities in either the software or operating system at this given time.
The information gathered by a port scan has many legitimate uses, including the ability to verify the security of a network. Port scanning can however also be used by those who intend to compromise security. Many exploits rely upon port scans to find open ports and send large quantities of data in an attempt to trigger a condition known as a buffer overflow. Such behavior can compromise the security of a network and the computers therein, resulting in the loss or exposure of sensitive information and the ability to do work.
SYN scan is the most popular form of TCP scanning. Rather than use the operating system's network functions, the port scanner generates raw IP packets itself, and monitors for responses. This scan type is also known as "half-open scanning", because it never actually opens a full TCP connection. The port scanner generates a SYN packet. If the target port is open, it will respond with a SYN-ACK packet. The scanner host responds with a RST packet, closing the connection before the handshake is completed.
The use of raw networking has several advantages, giving the scanner full control of the packets sent and the timeout for responses, and allowing detailed reporting of the responses. There is debate over which scan is less intrusive on the target host. SYN scan has the advantage that the individual services never actually receive a connection while some services can be crashed with a connect scan. However, the RST during the handshake can cause problems for some network stacks, particularly simple devices like printers. There are no conclusive arguments either way.
The simplest port scanners use the operating system's network functions and is generally the next option to go to when SYN is not a feasible option. Nmap calls this mode connect scan, named after the Unix connect() system call. If a port is open the operating system completes the TCP three-way handshake, and the port scanner immediately closes the connection. Otherwise an error code is returned. This scan mode has the advantage that the user doesn't require special privileges. However, using the OS network functions prevents low-level control, so this scan type is less commonly used.
UDP scanning is also possible, although there are technical challenges. UDP is a connectionless protocol so there is no equivalent to a TCP SYN packet. However, if a UDP packet is sent to a port that is not open, the system will respond with an ICMP port unreachable message. Most UDP port scanners use this scanning method, and use the absence of a response to infer that a port is open. However, if a port is blocked by a firewall, this method will falsely report that the port is open. If the port unreachable message is blocked, all ports will appear open. This method is also affected by ICMP rate limiting.
An alternative approach is to send application-specific UDP packets, hoping to generate an application layer response. For example, sending a DNS query to port 53 will result in a response, if a DNS server is present. This method is much more reliable at identifying open ports. However, it is limited to scanning ports for which an application specific probe packet is available. Some tools (e.g. nmap) generally have probes for less than 20 UDP services, while some commercial tools (e.g. nessus) have as many as 70. In some cases, a service may be listening on the port, but configured not to respond to the particular probe packet.
To cope with the different limitations of each approach, some scanners offer a hybrid method. For example, using nmap with the -sUV option will start by using the ICMP port unreachable method, marking all ports as either "closed" or "open|filtered". The open|filtered ports are then probed for application responses and marked as "open" if one is received.
ACK scanning is one of the more unique scan types, as it does not exactly determine whether the port is open or closed, but whether the port is filtered or unfiltered. This is especially good when attempting to probe for the existence of a firewall and their rulesets. It does this by only setting the RST flag in the packet to determine whether or not the packet will come back, regardless of the port being open or closed.
Rarely used because of its outdated nature, window scanning is fairly untrustworthy in determining whether a port is opened or closed. It generates the same packet as an ACK scan, but checks whether the window field of the packet has been modified. When the packet reaches its destination, a design flaw attempts to create a window size for the packet if the port is open, flagging the window field of the packet with 1's before it returns to the sender.
While this method has been phased out almost completely, using this scanning technique with systems that no longer support this implementation returns 0's for the window field, labeling open ports as closed.
Since SYN scans aren’t surreptitious enough, firewalls are generally scanning for and blocking packets in the form of SYN packets. Presented in 1996 issue of Phrack 49, article 15, by Uriel Maimon. It is documented that FIN packets are able to pass by firewalls with no modification to its purpose. Closed ports reply to a FIN packet with the appropriate RST packet, whereas open ports ignore the packet on hand. This is typical behavior due to the nature of TCP, and is in some ways an inescapable downfall. Systems vulnerable to this type of scan are most Unix and NT systems. Microsoft is immune in that it is not bias in the port state and will send a RST packet regardless of the port being open or closed.
Allowing the entire scan to be completely set up by the user, this scan technique is more for advanced purposes when standard scanning techniques lack in certain areas.
Some more unusual scan types exist. These have various limitations and are not widely used. Nmap supports most of these.
Many Internet service providers deny their customers the ability to perform port scans outside of their home networks. This is usually covered in the Terms of Service or Acceptable Use Policy to which the customer must have already agreed. Other public and private networks may also place such limitations upon their users.
Some ISPs implement Packet filters or Transparent proxies that prevent outgoing port scans being able to access certain ports. For example, if an ISP provides a transparent HTTP proxy on port 80, port scans of any address will appear to have port 80 open, regardless of target host's actual state.
Caught in the Net: As Online Frauds Escalate, Knowledge of Cyber Laws Will Help You Rake in the Moolah without Taking Too Many Risks, Finds DNA Education
Dec 17, 2012; "The era of information technology and e - governance has today facilitated faster business operations and made life easier and...